Amendments to the Claims: 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 

1. (currently amended): A method of generating kernel audit data comprising: 

storing system call parameters or data the parameters point to at the beginning of a 
system call; 

enabling the generation of audit data when a device driver is opened for read, and halting 
data generation when the device driver is closed; and 

triggering data delivery at the end of [[the]] a system call path and generating an 
audit record and depositing the audit record in a circular buffer. 

2. (currently amended): The method of claim 1, wherein for each system call that 
accesses files, storing related file information. 

3. (original): The method of claim 2, wherein related file information includes file 
owner or group and the file information is stored before any modifications occur that might 
affect the file information. 

4. (original): The method of claim 1, wherein system call parameters that include path 
name parameters are stored with full path name information. 

5. (original): The method of claim 1, wherein the audit record is a tokenized audit 
record. 

6. (original): The method of claim 1, further comprising reading audit records from the 
circular buffer. 

7. (original): The method of claim 6, wherein the reading is triggered using a device 
read call. 



8. (currently amended): The method of claim 1, comprising maintaining system wide 
configuration related data structures and setting selection masks based on such structures for 
specifying data to be delivered. 

9. (original): The method of claim 1, comprising collecting data in the system call path 
and formatting the collected data into an audit record. 

10. (original): The method of claim 9, wherein the collected data is a token stream. 

11. (original): The method of claim 1, comprising if the circular buffer is full, then either 
reading some of the audit records from the circular buffer or dropping new records until space 
becomes available in the circular buffer. 

12. (currently amended): The method of claim 4, comprising maintaining root and current 
[[directions]] directories while threads are in the middle of system call processing. 

13. (original): The method of claim 9, comprising selecting which data to collect before 
said collecting step. 
14. (original): The method of claim 13, wherein said selecting step can be based on 
process, user, group, filename information and/or time intervals. 

15. (original): The method of claim 1, further comprising detecting hard link accesses to a 
critical file. 

16. (original): The method of claim 15, comprising maintaining a critical file list for 
monitoring hard links. 

17. (currently amended): The method of claim 5, wherein [[the]] tokens of the tokenized 
audit record are either primitive or composed. 

18. (currently amended): The method of claim 13, wherein said selecting step can be 
based on [[the]] an outcome of system calls including pass, failure or both. 

19. (currently amended): The method of claim 1, further comprising presenting [[deposited]] 
delivered data to a user space via a device driver in the kernel. 

20. (original): The method of claim 13, comprising configuring which system calls are 
audited by making ioctl() (control) calls on a device driver. 

21. (canceled). 
22. (new): A method of generating kernel audit data, comprising: 

storing system call parameters or data the parameters point to at the beginning of a 
system call; 

triggering data delivery at the end of a system call and generating an audit record and 
depositing the audit record in a circular buffer; 

selecting data to be collected based on an outcome of a system call including pass, failure 
or both; and 

collecting data in the system call and formatting the collected data into an audit record. 

23. (new): A method of generating kernel audit data comprising: 

storing system call parameters or data the parameters point to at the beginning of a 
system call; and 

triggering data delivery at the end of the system call and generating an audit record and 
depositing the audit record in a circular buffer if, based on the success or failure of the system 
call, auditing of the system call should continue as specified in a post-call selection flag. 
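As an added illustration of the mechanism claims 1, 11, 18 and 23 describe (example code written for this listing, not code from the application), the following user-space simulation in C models the entry and exit hooks, the per-system-call pass/fail selection flag, and the drop-new policy when the circular buffer is full. All names, the four-slot buffer size and the syscall table size are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Selection flag per system call (claims 18, 23): audit on pass, on failure, or both. */
enum { AUDIT_PASS = 1, AUDIT_FAIL = 2 };

#define BUF_SLOTS 4        /* assumed small so the full-buffer case is reachable */
#define MAX_SYSCALLS 8     /* assumed; a real table is indexed by the syscall number */

struct audit_record { int syscall_nr; long arg0; int retval; };

/* Circular buffer that audit records are deposited into (claims 1, 11). */
struct audit_buf {
    struct audit_record slot[BUF_SLOTS];
    size_t head, tail, count, dropped;
};
/* Per-thread context saved at the beginning of the system call (claim 1). */
struct audit_ctx { int syscall_nr; long arg0; };

static bool audit_enabled;                     /* set by device driver open/close */
static unsigned char sel_flag[MAX_SYSCALLS];   /* system-wide selection mask (claim 8) */

void audit_enable(bool on) { audit_enabled = on; }
void audit_select(int nr, unsigned char flag) { sel_flag[nr] = flag; }

/* Entry hook: capture parameters before the call body can modify them. */
void audit_syscall_entry(struct audit_ctx *c, int nr, long arg0) {
    c->syscall_nr = nr; c->arg0 = arg0;
}

/* Exit hook: returns true if a record was deposited; false if not selected,
 * auditing is disabled, or the record was dropped because the buffer is full. */
bool audit_syscall_exit(struct audit_buf *b, const struct audit_ctx *c, int retval) {
    unsigned char outcome = retval < 0 ? AUDIT_FAIL : AUDIT_PASS;
    if (!audit_enabled || !(sel_flag[c->syscall_nr] & outcome)) return false;
    if (b->count == BUF_SLOTS) { b->dropped++; return false; }  /* drop-new policy (claim 11) */
    b->slot[b->tail] = (struct audit_record){ c->syscall_nr, c->arg0, retval };
    b->tail = (b->tail + 1) % BUF_SLOTS;
    b->count++;
    return true;
}

/* Consumer side: a device read call drains one record (claims 6, 7), freeing a slot. */
bool audit_read(struct audit_buf *b, struct audit_record *out) {
    if (b->count == 0) return false;
    *out = b->slot[b->head];
    b->head = (b->head + 1) % BUF_SLOTS;
    b->count--;
    return true;
}
```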